miSafes Mi-Cam Device Hijacking

miSafes Mi-Cam remote video monitors suffer from broken session management, insecure direct object reference, password handling issues, and various other vulnerabilities.

We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
=======================================================================
title: Hijacking of arbitrary video baby monitors
product: miSafes Mi-Cam remote video monitor
vulnerable version: Android application v1.2.0, iOS v1.0.5
Firmware v1.0.38
fixed version: -
CVE number: -
impact: critical
homepage: http://www.misafes.com/mi-cam
found: 2017-11-30
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy
set up & use, two-way talk and supports free local video recording, all can be
use by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam


Business recommendation:
------------------------
SEC Consult recommends not using this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved. Although cloud-connected hardware may offer advantages in
usability and convenience, such products pose a great risk to all customers
when their security is lacking.

Furthermore, there appear to be similar products from other vendors, e.g. the
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected; SEC Consult could not verify this. The cloud component hosted at
"qiwocloud2.com" may be used by other products as well. Additional information
regarding other vendors is provided in our blog post linked at the top of this
advisory.


Vulnerability overview/description:
-----------------------------------
Using the Mi-Cam video baby monitor together with its Android (or iOS)
application involves numerous requests to a cloud infrastructure at
ipcam.qiwocloud2.com, through which the application and the video baby monitor
communicate with each other.

The Android application has 50,000-100,000 installations according to the
Google Play Store, with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this product.


1) Broken Session Management & Insecure Direct Object References
Using the Android application "Mi-Cam" and interacting with the video baby
monitor involves several different API calls. Because of broken session
management, a number of critical API calls can be accessed by an attacker with
an arbitrary session token.

This allows an attacker to retrieve information about any account identified
by its UID and about the video baby monitors connected to it. The information
retrieved is sufficient to view and interact with all video baby monitors
connected to the supplied UID.


2) Missing Password Change Verification Code Invalidation
The forgot-password functionality sends a 6-digit validation code, valid for
30 minutes, to the supplied email address so that a new password can be set.
Multiple codes can be requested, however, and previously delivered codes are
not invalidated: any one of them is accepted as a valid key. Since every request
adds another valid code to the pool, the code can easily be brute-forced to take
over other accounts.


3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface through
which an attacker gains hardware-level access to the device and can, for
instance, extract the firmware for further analysis. By analyzing the firmware
with IoT Inspector (https://www.iot-inspector.com), SEC Consult identified
further security issues such as outdated software (issue 6) and weak passwords
(issue 4).


4) Weak Default Credentials
The "root" user on the video baby monitor uses a very weak default password
consisting of only 4 digits.


5) Enumeration of user accounts
The password reset functionality leaks whether a supplied user account exists,
which aids further (brute-force) attacks.


6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.


Proof of concept:
-----------------
As the vendor could not be reached to get the issues fixed, detailed proof of
concept information is omitted from this advisory.


1) Broken Session Management & Insecure Direct Object References
Several API functions are vulnerable because session tokens are not checked
properly: the calls succeed with an arbitrary token and without any valid user
account.

Excerpt of API calls:
- /family/get_list
- /family/get_group_list
- /family/invite_join
- /family/change_name
- /family/unbind

Sending (or intercepting and modifying) the following request with an arbitrary
UID allows an attacker to retrieve information about the corresponding account
and its connected video baby monitors. UIDs are numbered consecutively, so they
can simply be walked. The information retrieved is sufficient to view and
interact with all video baby monitors connected to the supplied UID.

<HTTP POST request PoC removed>
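As an illustration of issue 1 (an added model, not the vendor's server code, which SEC Consult did not have), the following Python shows why an arbitrary token plus a guessable UID is enough: a handler that takes the UID from the request and never ties the token to a session hands out another user's camera list, while the fixed handler derives the account from the authenticated session and refuses a mismatch. The account store, the token format, the handler names and all sample data are constructed assumptions.

```python
"""Model of the Mi-Cam family API authorization flaw (issue 1).

Added illustration for this advisory; NOT the vendor's server code. The account
store, the token format, the handler names and all sample data are assumptions.
"""
import secrets
from dataclasses import dataclass


class ApiError(Exception):
    """Raised where a real API would return an error response."""


@dataclass
class Account:
    uid: int
    email: str
    cameras: list


# Constructed sample accounts with consecutively numbered UIDs, as the advisory
# describes for the real service.
ACCOUNTS = {
    1001: Account(1001, "alice@example.test", ["CAM-A1"]),
    1002: Account(1002, "bob@example.test", ["CAM-B1", "CAM-B2"]),
    1003: Account(1003, "carol@example.test", []),
}

# Server-side session table: opaque token -> uid. Only Alice is logged in.
SESSIONS = {"tok-alice": 1001}


def login(uid: int) -> str:
    """Issue an unguessable session token bound to exactly one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return token


def get_list_vulnerable(token: str, uid: int) -> list:
    """Vulnerable /family/get_list: the token is never looked up, and the
    client-supplied UID selects the account (insecure direct object reference)."""
    account = ACCOUNTS.get(uid)
    if account is None:
        raise ApiError("no such uid")
    return list(account.cameras)


def get_list_fixed(token: str, uid: int) -> list:
    """Fixed handler: the token must map to a live session, and the account is
    taken from that session. A UID in the request is accepted only if it
    matches the authenticated one, so walking UIDs yields nothing."""
    session_uid = SESSIONS.get(token)
    if session_uid is None:
        raise ApiError("unauthenticated")
    if uid != session_uid:
        raise ApiError("forbidden")
    return list(ACCOUNTS[session_uid].cameras)


def enumerate_uids(handler, start: int, end: int, token: str = "garbage") -> dict:
    """Attacker's loop: call the handler for consecutive UIDs with an arbitrary
    token and collect whatever it returns."""
    leaked = {}
    for uid in range(start, end + 1):
        try:
            leaked[uid] = handler(token, uid)
        except ApiError:
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_uids(get_list_vulnerable, 1000, 1004))
    print("fixed:     ", enumerate_uids(get_list_fixed, 1000, 1004))
```

The point of the fixed variant is that the object reference (the UID) is never trusted from the client; authorization is decided from the session the token resolves to, and the token itself comes from a CSPRNG so it cannot be guessed the way a consecutive UID can.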


2) Missing Password Change Verification Code Invalidation
By sending the following request to "/user/request_email_code", a validation key
can be requested:

<HTTP POST request PoC removed>

This request can be sent multiple times to increase the chance of a successful
brute-force attack on the validation key: each requested key remains valid for
30 minutes and can be used to reset the password. During the assessment, the
following two sender addresses were observed:

- [email protected]
- [email protected]


3) Available Serial Interface
Unlabeled, grouped through-hole pins on the PCB of the video baby monitor
provide a UART interface. It gives access to the boot loader and allows
extraction of the firmware for further analysis.

Further information regarding the hardware including screenshots can be found
at our blog post:
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


4) Weak Default Credentials
By analysing the extracted firmware, or simply by performing a brute-force
attack, it is possible to identify the following very weak 4-digit default
credentials used by the video baby monitor:

root:<redacted>


5) Enumeration of user accounts
By sending the following request to "/user/request_email_code", it is possible
to determine whether a user account is registered by observing the response:

<HTTP POST request PoC removed>

The HTTP response reveals whether the supplied email address is registered or
not.

<HTTP server response removed>

The same behavior can be observed with the "/user/check_username" request.
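The following added Python model (not the vendor's implementation) puts issues 2 and 5 side by side: a reset service that keeps every issued code valid for its full 30-minute lifetime and answers differently for unknown addresses, versus a hardened one that keeps exactly one live code per account, replaces it on each request, limits wrong guesses, compares in constant time, consumes the code on use and returns an identical response whether or not the address is registered. It also quantifies what an attacker gains from outstanding codes: with k simultaneously valid 6-digit codes, a single guess succeeds with probability k/10^6. Store layout, function names and the attempt limit are assumptions; the 6-digit code and 30-minute validity come from the advisory.

```python
"""Model of the Mi-Cam password-reset flow (issues 2 and 5) next to a hardened one.

Added illustration for this advisory; NOT the vendor's implementation. Store
layout, function names and the attempt limit are assumptions; the 6-digit code
and 30-minute validity come from the advisory.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 30 * 60
MAX_ATTEMPTS = 5          # assumption for the hardened variant

# Constructed sample user store (plaintext only because this is a model).
USERS = {"alice@example.test": "old-password"}


def new_code() -> str:
    """Random zero-padded code from a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class VulnerableReset:
    """Every code ever issued stays valid until it expires; replies leak account existence."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}   # email -> [(code, expiry), ...]; expiry is the only check

    def request_email_code(self, email: str) -> dict:
        if email not in USERS:                      # issue 5: distinguishable reply
            return {"status": "error", "msg": "user not exist"}
        self.codes.setdefault(email, []).append(
            (new_code(), self.clock() + CODE_TTL_SECONDS))
        return {"status": "ok", "msg": "code sent"}

    def reset_password(self, email: str, code: str, new_password: str) -> bool:
        now = self.clock()
        for issued, expiry in self.codes.get(email, []):   # issue 2: any of them works
            if issued == code and now < expiry:
                USERS[email] = new_password
                return True
        return False


class HardenedReset:
    """One live code per account, replaced on each request, single use, attempt-limited."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # email -> (code, expiry, attempts_left)

    def request_email_code(self, email: str) -> dict:
        if email in USERS:
            self.pending[email] = (new_code(), self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        # Same reply for known and unknown addresses; only a real user gets the mail.
        return {"status": "ok", "msg": "if the account exists, a code has been sent"}

    def reset_password(self, email: str, code: str, new_password: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        issued, expiry, attempts = entry
        if self.clock() >= expiry or attempts <= 0:
            del self.pending[email]
            return False
        if not hmac.compare_digest(issued, code):
            self.pending[email] = (issued, expiry, attempts - 1)
            return False
        del self.pending[email]                     # single use
        USERS[email] = new_password
        return True


def brute_force_success_probability(outstanding_codes: int, guesses: int,
                                    digits: int = CODE_DIGITS) -> float:
    """Chance that `guesses` distinct guesses hit any of `outstanding_codes`
    simultaneously valid (assumed distinct) codes in a space of 10**digits."""
    space = 10 ** digits
    p_miss = 1.0
    for i in range(min(guesses, space)):
        p_miss *= (space - outstanding_codes - i) / (space - i)
        if p_miss <= 0.0:
            p_miss = 0.0
            break
    return 1.0 - p_miss
```

The arithmetic makes the advisory's point concrete: an attacker who first fires off many reset requests for the victim's address multiplies the per-guess success rate by the number of still-valid codes, which is exactly what invalidating the previous code on each new request (and capping attempts) removes. The uniform reply in the hardened variant is what closes the enumeration oracle in issue 5; note that response timing would also have to be kept uniform in a real deployment.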


6) Outdated and Vulnerable Software
The following publicly known vulnerable software components were identified
in the firmware of the video baby monitor by using IoT Inspector:

- BusyBox 1.22.1 - multiple CVEs
- hostapd 0.8.x - CVE-2015-8041
- OpenSSL 1.0.1j - multiple CVEs
- Linux Kernel 2.6.35 - multiple CVEs


Vulnerable / tested versions:
-----------------------------
During our investigation, the main focus was on analysing the communication
between the app, the video baby monitor and the cloud infrastructure, not on
the applications (Android, iOS) themselves.

Android Application:
- Mi-Cam v1.2.0 (most up to date version in November 2017)

Video baby monitor:
- Firmware 1.0.38 (most up to date version in November 2017)

It is assumed that the iOS app v1.0.5 is affected as well, as the vulnerabilities
are within the server-side API.


Vendor contact timeline:
------------------------
2017-12-06: Contacting vendor through [email protected]
2018-01-03: Resending initial contact approach
2018-01-29: Resending initial contact approach
2018-02-07: Attempting to contact China CNCERT/CC (PGP encrypted), received
"550 Mail content denied" from their mailserver,
resending unencrypted without attachments, same error message
2018-02-07: Contacting CERT/CC, asking for coordination support
2018-02-12: Asking CERT/CC again
2018-02-12: CERT/CC has decided not to coordinate or publish this vulnerability
2018-02-21: Public release of security advisory


Solution:
---------
The vendor could not be reached and there is no update available.


Workaround:
-----------
It is highly recommended not to use this product as there is no workaround
available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Mathias Frank / @2018
